HSTS Header in AWS ELB Security

Although ELBs doesn’t’s support HSTS header but this doesn’t mean it will drop that header and not let them pass through. So yes, you can still implement it in your website/applicationthus enhancing the security. Let’s discuss this in more detail in this article.

What is HSTS ?

HSTS, short for HTTP Strict Transport Security, is a security feature used by websites to ensure that all communication between your web browser and the website is secure. It works by instructing your browser to always use a secure HTTPS connection when connecting to the website, even if you type “http://” in the address or click on a non-secure link.

By enabling HSTS, websites protect against certain types of attacks that could compromise the security of your connection. It prevents attackers from downgrading the connection to an insecure protocol or intercepting your communication.

Once your browser receives the HSTS instruction from a website, it remembers it for a certain period of time. From that point on, whenever you visit the same website, your browser will automatically redirect you to the secure HTTPS version. This ensures that all your interactions with the website are encrypted and secure.

In simpler terms, HSTS is a security measure that helps websites make sure your connection is always secure, protecting your information from potential attackers.

Do we really need HSTS or other Security Headers ?

HTTP security headers enhance the privacy and security of a web application while safeguarding it against client-side vulnerabilities. The prevalent HTTP security headers encompass:

  • Referrer Policy
  • Strict Transport Security (HSTS)
  • Content Security Policy (CSP)
  • X-Content-Type-Options
  • X-Frame-Options
  • X-XSS-Protection

AWS ELB (Classic Load Balancer, Application Load Balancer and Network Load Balancer) currently doesn’t support HSTS. HSTS is specified by a Web Application on the Back-end through the use of a special response header (the Strict-Transport-Security HTTP response header field) and force Clients to be able to direct their User Agents to interact with given sites only over secure connections.

As of now, ELB natively does not support HSTS. HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application using a special response header. Since it is an application level configuration, it needs to be enabled only on the back-end server(s) (targets).

There is a workaround for HSTS to operate with an ELB and that is to enable HSTS on the backend Amazon EC2 instance. The ELB will forward the “Strict-Transport-Security” header to clients without altering it.

Will it going to be supported by AWS ELB in future ?

Since it is much needed feature so AWS seems to be working on it and get it enabled soon in ELBs. As of now there is no ETA but we can keep checking out on

Further, if you are using ALB, there would be another option to use CloudFront service in front of the ALB (since ALB does not support HSTS). Kindly refer the following article to learn more

Is there any other AWS service supporting it ?

CloudFront supports it ! If you are using CF in front of ALB, you. can make use of it. CloudFront response header policies allow you to add one or more HTTP security headers to a response from CloudFront. You can use the managed security headers response policy that includes pre-defined values for the most common HTTP security headers. Or, you can create a custom response header policy with custom security headers and values that can be added to the required CloudFront behaviour.


Create a custom response headers policy from AWS console

  1. Open the CloudFront console.
  2. From the navigation menu, choose Policies. Then, choose Response headers.
  3. Choose Create response headers policy.
  4. Under Security headers, select each of the security headers that you want to add to the policy. Add or select the required values for each header.
  5. Under Custom headers, add the custom security headers and values that you want CloudFront to add to the responses.
  6. Fill out other fields as required. Then, select Create.

Attach response headers policy to a cache behavior

After you create a response headers policy, attach it to a cache behavior in a CloudFront distribution. To attach a managed or custom security headers response policy to an existing CloudFront distribution:

  1. Open the CloudFront console.
  2. Choose the distribution you want to update.
  3. Under the Behaviors tab, select the cache behavior you want to modify. Then, choose Edit.
  4. For Response headers policy, choose SecurityHeadersPolicy or choose the custom policy that you created.
  5. Choose Save changes.

Check out HTTP Strict Transport Security Cheat Sheet

Thank you ! Please feel free to shoot your doubts/queries in comment.

Leave a comment